ci(hot-cluster): add IPI prerequisite checks to IAM diagnostics

galkremer1 · cursoragent · galkremer1 · commit bb89825b6282 · 2026-06-24T13:09:26.000-04:00
Probes VPC, COS, DNS Services, CIS, IAM Identity, resource groups,
and authorization policies to confirm readiness for OpenShift IPI
on IBM Cloud VPC. Run with INFRASTRUCTURE_TYPE=ipi.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/ci-scripts/log-ibmcloud-iam-diagnostics.sh b/ci-scripts/log-ibmcloud-iam-diagnostics.sh
@@ -79,6 +79,83 @@ run_vpc_diagnostics() {
   echo ""
 }
 
+run_ipi_prerequisites() {
+  echo "### IPI Prerequisites Check"
+  echo ""
+  echo "Checking if the account has the resources needed for OpenShift IPI on IBM Cloud VPC..."
+  echo ""
+
+  echo "#### 1. VPC Infrastructure (create VMs, networks)"
+  echo '```'
+  if ibmcloud is vpcs 2>&1 | head -3; then
+    echo "RESULT: VPC access OK"
+  else
+    echo "RESULT: FAILED — need VPC Infrastructure Administrator"
+  fi
+  echo '```'
+  echo ""
+
+  echo "#### 2. Cloud Object Storage (RHCOS images, ignition)"
+  echo '```'
+  if ibmcloud resource service-instances --service-name cloud-object-storage 2>&1 | head -5; then
+    echo "RESULT: COS access OK"
+  else
+    echo "RESULT: FAILED — need COS Administrator"
+  fi
+  echo '```'
+  echo ""
+
+  echo "#### 3. DNS Services (cluster API/ingress records)"
+  echo '```'
+  ibmcloud plugin install dns -f 2>/dev/null || true
+  if ibmcloud dns zones 2>&1 | head -10; then
+    echo "RESULT: DNS Services access OK"
+  else
+    echo "RESULT: FAILED or no DNS zones configured — IPI needs a public DNS zone"
+  fi
+  echo '```'
+  echo ""
+
+  echo "#### 4. Internet Services / CIS (alternative to DNS Services)"
+  echo '```'
+  ibmcloud plugin install cis -f 2>/dev/null || true
+  if ibmcloud cis instances 2>&1 | head -5; then
+    echo "RESULT: CIS access OK"
+  else
+    echo "RESULT: No CIS instances (may use DNS Services instead)"
+  fi
+  echo '```'
+  echo ""
+
+  echo "#### 5. IAM Identity Service (service IDs for cluster components)"
+  echo '```'
+  if ibmcloud iam service-ids 2>&1 | head -5; then
+    echo "RESULT: IAM Identity access OK"
+  else
+    echo "RESULT: FAILED — need IAM Identity Service Administrator"
+  fi
+  echo '```'
+  echo ""
+
+  echo "#### 6. Resource groups"
+  echo '```'
+  ibmcloud resource groups 2>&1 | head -10
+  echo '```'
+  echo ""
+
+  echo "#### 7. IAM authorization policies (service-to-service)"
+  echo '```'
+  ibmcloud iam authorization-policies 2>&1 | head -20
+  echo '```'
+  echo ""
+
+  echo "#### Summary"
+  echo ""
+  echo "If checks 1-5 show OK and check 3 or 4 has a DNS zone, IPI should work."
+  echo "If DNS shows no zones, a domain + DNS zone must be configured first."
+  echo ""
+}
+
 write_diagnostics() {
   echo "## IBM Cloud IAM diagnostics"
   echo ""
@@ -107,7 +184,9 @@ write_diagnostics() {
   echo '```'
   echo ""
 
-  if [[ "${INFRASTRUCTURE_TYPE}" == "vpc" ]]; then
+  if [[ "${INFRASTRUCTURE_TYPE}" == "ipi" ]]; then
+    run_ipi_prerequisites
+  elif [[ "${INFRASTRUCTURE_TYPE}" == "vpc" ]]; then
     run_vpc_diagnostics
   else
     echo "### Classic infrastructure permissions (missing required/suggested)"
